PhotronicsBridgend asked:
multiple 2003 active directory domains into tree

Hello all,
The company I work for has multiple physical sites around the world, each site has their own independent 2003 server active directory domain setup. All running off separate DNS (some UNIX bind, some microsoft dns). We also have a top level AD domain that is utilised for exchange mail. We were looking @ replacing all these separate domains with a single domain running off MS dns, but this has been deemed unworkable due to the need to have a PDC emulator @ each site to allow for older MS systems & unix to authenticate to regardless of the status of the wan link. Therefore the plan is to create a tree structure joining all the different domains together allowing for us to share resources & have a single sign on (we currently have multiple passwords for different services) etc etc.

company.com  (top level AD only utilised for exchange mail)
eu.company.com  (another site AD used for full services)
ad.company.com  (another site AD used for full services)
xm.company.com  (another site AD used for full services)
etc etc

I wanted to check to ensure
A) this is possible
B) whether this architecture will allow single sign on
C) possible methods of deployment considering these domains are already present
D) if there are any major issues with this approach

Many thanks....
Brian

A: Yes this is possible.  You are right though a PDC Emulator needs to be placed in each child domain.  A PDC Emulator is just the first W2K3 DC you install in a domain.

B: Yes it will allow single sign on.

C: You will want to look into migration tools.  Microsoft has a free one called ADMT that you could look at to do this with.  It works great for small to medium size migrations.   There are 3rd party tools that cost money that also do migrations really well.

D: Not really any issues. This is really a good layout.  Having the domains broken out into geographic locations is good because you can have different security policies for different areas.

Brian
PhotronicsBridgend (asker)
Hey Brian, thanks for that. A few further questions spring to mind then:-

So how would user authentication work then? Would you just have all the user accounts in the root domain & the child domains would look to it to authenticate the user when they logged on? How is it configured?

company.com     top level AD only utilised for exchange mail containing all the user accounts
eu.company.com     this child domain would look to company.com to authenticate its users


Cheers,

Brian

The accounts don't need to reside in your forest root domain.

Your clients should reside and authenticate into the child domain.  Exchange however will be in the Forest root domain.  The clients will still be able to access their email by using name resolution.

Brian
PhotronicsBridgend (asker)

Is there any way of utilising our current domains & connecting them up to our parent domain removing the need for us to build & distribute new child domains?

The main objective is a single point of authentication for users logon & exchange mail that reside in different domains:-

company.com  (top level AD only utilised for exchange mail)
eu.company.com  (another site AD used for full services)

Brian

Most companies use multiple domains when they want to have different password policies.  If that isn't needed then yes, a single domain can work.  You will want to make sure that you use AD Sites well.

Brian
PhotronicsBridgend (asker)

& that's the problem! The initial thought was to build a single domain replacing the multiple domains we have. BUT due to the fact that the unix systems @ each site (we are a manufacturer) authenticate against the PDC emulators on the site domain, a single domain model doesn't allow enough redundancy. With a single domain structure, if the WAN goes down, then that site has no access to a PDC emulator & the unix systems go down (& so then does production).

This is why we require a structure allowing independent PDC emulators per site but with world wide single sign-on including the exchange domain.
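As an added example (not code from this thread), a PowerShell check of the design the asker describes: each domain in the tree should hold its PDC emulator in its own site so local logons survive a WAN outage, and the parent/child trusts through company.com should be two-way and transitive so sign-on works forest-wide. It assumes the RSAT ActiveDirectory module and uses constructed site names in $ExpectedSite.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# the domain-to-site mapping below is constructed for illustration.
Import-Module ActiveDirectory

# Constructed mapping: the AD site each domain's PDC emulator must live in.
$ExpectedSite = @{
    'company.com'    = 'HQ'
    'eu.company.com' = 'EU-Plant'
    'ad.company.com' = 'US-Plant'
    'xm.company.com' = 'Asia-Plant'
}

function Test-PdcPlacement {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Older Windows and UNIX hosts fall back to the PDC emulator, so it has
        # to be reachable without the WAN: confirm it sits in the expected site.
        $pdc = Get-ADDomainController -Identity $domain.PDCEmulator -Server $domainName
        $expected = $ExpectedSite[$domainName]
        [pscustomobject]@{
            Domain       = $domainName
            Parent       = $domain.ParentDomain
            PdcEmulator  = $domain.PDCEmulator
            PdcSite      = $pdc.Site
            ExpectedSite = $expected
            LocalToSite  = [bool]$expected -and ($pdc.Site -eq $expected)
        }
    }
}

function Get-TreeTrusts {
    # Joining a domain to the tree creates a two-way transitive parent/child
    # trust; that chain is what gives single sign-on across sites. Anything
    # one-way or non-transitive (TrustAttributes bit 0x1 set) breaks it.
    foreach ($domainName in (Get-ADForest).Domains) {
        Get-ADTrust -Filter * -Server $domainName | ForEach-Object {
            [pscustomobject]@{
                Source     = $_.Source
                Target     = $_.Target
                Direction  = $_.Direction
                Transitive = -not ($_.TrustAttributes -band 0x1)
            }
        }
    }
}

Test-PdcPlacement | Format-Table -AutoSize
Get-TreeTrusts    | Format-Table -AutoSize
```

A row with LocalToSite false, or a trust that is not BiDirectional and transitive, is a domain whose site would lose authentication when the WAN link drops.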
ASKER CERTIFIED SOLUTION (Brian)

PhotronicsBridgend (asker)

Thanks mkbean, you've been very helpful. I am busy testing, hence the lack of response on my part.